The amount of money and labour that financial institutions have spent on securing their perimeter makes them a less fruitful target for cybercriminals. But it’s the small to medium-sized businesses that are the seldom-discussed goldmine now, said an executive with Cupertino, Calif.-based Symantec Corp.

From a hacker’s point of view, larger organizations in the financial services sector may offer the biggest bang for their efforts considering the amount of sensitive data they transact, but SMBs lack the resources to protect their perimeters, said Symantec’s Dean Turner, director for global intelligence network.

“Your small-medium business owner is the accountant, he’s the CEO, he’s the IT guy, the sales guy, the chief cook and bottle washer,” said Turner. “And that’s a lot on one person’s plate.”

Turner was referring to a recent report by Symantec entitled Report on the Underground Economy that discusses a thriving ecosystem of cybercriminals advertising and selling stolen data like credit card information and financial accounts to meet demand.

According to the report, credit card information is the most advertised category of goods and services in the underground with stolen data available for as little as 10 cents to $25.

Brian O’Higgins, chief technology officer with Ottawa-based intrusion prevention technology vendor Third Brigade Inc., said what makes SMBs a target is the lack of resources, expertise and awareness – the “triple whammy.” Yet, he added, SMBs, like enterprises, are also running transactions and servers that cybercriminals want to target.

“It’s the same principal that you leave the lights on, the door locked in your neighbourhood,” said O’Higgins, “because the house that’s in the dark and the door is unlocked is going to get broken into first.”

But while enterprises may have resources to assign a dedicated individual to ensuring perimeter security, they aren’t exactly out of the woods, said Turner. Enterprises, too, must perform risk analysis, identify where confidential data resides, and protect and back up that data, he said, “because they should know that attackers are going to be targeting them if they can.”

The corporate arena isn’t the only target for cybercriminals. Employees have home PCs which also factor into an enterprise security strategy, said Turner, adding that a “good proportion” of today’s malicious code and attacks are installed while browsing the Web. Therefore, enterprises must introduce policies regarding social network sites and using home PCs for work, for instance. “What if they picked up a keystroke login Trojan off their home system and brought that back into the enterprise network [on a USB key]?” said Turner.

“There is so much money at stake in the underground economy,” said Turner, adding that a specific cross-side scripting vulnerability for a financial Web site for instance is potentially worth thousands of dollars for a hacker who wants to include the code in an attack tool kit.

Actually, Turner refers to the Underground Economy as a “self-sustaining economy” where “everything you need to be successful and drive and support the economy is contained and is for sale.”

But while cybercriminals may be creating these attack tools en masse, security vendors are quickly adapting to these attacks by producing security tools, said Turner. That said, the cybercriminals, in turn, are updating their tools to keep up.

Turner isn’t so confident that organizations are aware of the gravity of such a thriving underground economy due to a lack of studies that have placed a dollar value on these underground transactions. And besides, he said, cybercriminals are “not filing annual SEC reports, they are not filing taxes.”

The security industry has been aware of thriving cybercriminal activity for a number of years, said O’Higgins, but everyone else is just catching on. “It’s getting bigger all the time and has hit critical mass where it’s noticed by everyone,” he said.

Individuals and organizations just need to migrate from an analog risk assessment approach to one that makes sense for the online world, said Turner, because “in the digital world, this is still relatively new for most of us.”